May 12th, 2009

Microsoft plugs 14 PowerPoint security holes

Posted by Ryan Naraine @ 10:38 am

Categories: Anti Virus, Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Hackers, Malware, Microsoft, Patch Watch, Responsible disclosure, Reverse Engineering

Tags: Security, Vulnerability, Microsoft PowerPoint, Microsoft Corp., Microsoft Office, Office Suites, Software, Ryan Naraine

Microsoft has slapped a massive band-aid on its PowerPoint presentation software to cover at least 14 documented security vulnerabilities.

The MS09-017 update, rated “critical,” includes a fix for a known code execution flaw that was used to launch targeted exploits via rigged PowerPoint files.

[ SEE: Patch Tuesday: Fix coming for PowerPoint zero-day ]

From the bulletin:

The security update addresses the vulnerabilities by modifying the way that PowerPoint handles conditions that could cause memory corruption when opening specially crafted PowerPoint files. This update also addresses the vulnerabilities by preventing Microsoft Office PowerPoint 2000 and Microsoft Office PowerPoint 2002 from opening PowerPoint 4.0 native file formats.

Some of the issues affect Office for Mac but patches are not yet available for those users:

The updates for Office for Mac and Microsoft Works 8.5 and 9.0 users are still in development. Microsoft plans to issue updates for these software when testing is complete and we can ensure high quality. We are releasing this security update on an incremental basis because of active targeted exploitation toward Windows platform users.

Three of the 14 issues are described as “legacy file format vulnerabilities” that introduce code execution risk via specially crafted PowerPoint files.  They could be exploited via PowerPoint files in e-mail attachments, or hosted on a specially crafted or compromised Web site.

Microsoft’s Johnathan Ness explains:

We are addressing a number of PowerPoint converter cases by removing support for the format (PP40). Others were addressed by back-porting the latest Office 2003 SP3 converter code down-level to Office XP and Office 2000. For example, PP7X32.DLL has gone through extensive changes, addressing the externally-reported vulnerabilities listed in the bulletin but also introducing substantial hardening to the parsing engine. We hope that by doing this comprehensive update and by proactively addressing security vulnerabilities, we reduce the risk and help protect our customers from future vulnerabilities.

* Image source: cogdogblog’s photostream (Creative Commons 2.0)